experimental realms / citadel integration

shw-merge
dma 6 years ago
parent 20c648026a
commit 76b194840a

@ -17,8 +17,8 @@ import (
"io/ioutil"
"os"
"os/signal"
"strings"
"strconv"
"strings"
"sync"
"syscall"
"time"
@ -29,6 +29,8 @@ import (
"github.com/gotk3/gotk3/gdk"
"github.com/gotk3/gotk3/glib"
"github.com/gotk3/gotk3/gtk"
"github.com/godbus/dbus"
)
type promptModes uint
@ -55,6 +57,7 @@ type appShortcuts struct {
type cbPromptAdd func(guid, path, icon, proto string, pid int, ipaddr, hostname string, port, uid, gid int,
origin, timestamp string, is_socks bool, optstring string, sandbox string, action int) bool
type cbPromptRemove func(string)
var cbPromptAddRequest cbPromptAdd = nil
var cbPromptRemoveRequest cbPromptRemove = nil
@ -123,7 +126,6 @@ type fwApp struct {
ozProfiles []string
}
/*
* App Setup
*/
@ -414,7 +416,6 @@ func (fa *fwApp) buildAppMenu() {
}
}
/*
* Windows
*/
@ -573,7 +574,6 @@ func (fa *fwApp) showShortcutsWindow() {
}
}
/*
* Private Utils
*/
@ -592,7 +592,6 @@ func (fa *fwApp) populateWindow() {
fa.rlPermanent.loadRules(true)
fa.rlPermanent.reloadRules(tt)
if fa.boxSession == nil {
fa.boxSession, _ = gtk.ListBoxNew()
fa.swRulesSession.Add(fa.boxSession)
@ -605,7 +604,6 @@ func (fa *fwApp) populateWindow() {
fa.rlSession.loadRules(true)
fa.rlSession.reloadRules(tt)
if fa.boxProcess == nil {
fa.boxProcess, _ = gtk.ListBoxNew()
fa.swRulesProcess.Add(fa.boxProcess)
@ -630,7 +628,6 @@ func (fa *fwApp) populateWindow() {
fa.rlSystem.loadRules(true)
fa.rlSystem.reloadRules(tt)
}
func (fa *fwApp) repopulateWindow() {
@ -727,7 +724,6 @@ func (fa *fwApp) switchStackItem(dir switcherDirection) {
fa.onStackChanged()
}
/*
* Handlers
*/
@ -853,7 +849,6 @@ func (fa *fwApp) onRulesKeyPress(i interface{}, e *gdk.Event) bool {
return true
}
/*
* Users, Groups
*/
@ -895,7 +890,6 @@ func (fa *fwApp) cacheGroups() error {
return nil
}
/*
* Exported
*/
@ -924,8 +918,17 @@ func (fa *fwApp) ConnectShortcut(accel, group, title string, w gtk.Window, actio
})
}
func (fa *fwApp) LookupUsername(uid int32) string {
func (fa *fwApp) LookupUsername(realm string, uid int32) string {
// TODO: needs to be realm aware
// TODO: cache ^^
if realm != "" {
user := ""
var db, _ = dbus.SystemBus()
obj := db.Object("com.subgraph.realms", "/")
obj.Call("com.subgraph.realms.Manager.RealmUsernameFromUID", 0, realm, strconv.Itoa(int(uid))).Store(&user)
return user
}
if uid == -1 {
return "any"
}
@ -938,8 +941,17 @@ func (fa *fwApp) LookupUsername(uid int32) string {
return "unknown"
}
func (fa *fwApp) LookupGroup(gid int32) string {
func (fa *fwApp) LookupGroup(realm string, gid int32) string {
// TODO: needs to be realm aware
// ^^ cache
if realm != "" {
group := ""
var db, _ = dbus.SystemBus()
obj := db.Object("com.subgraph.realms", "/")
obj.Call("com.subgraph.realms.Manager.RealmGroupnameFromGID", 0, realm, strconv.Itoa(int(gid))).Store(&group)
return group
}
if gid == -1 {
return "any"
}
@ -952,7 +964,6 @@ func (fa *fwApp) LookupGroup(gid int32) string {
return "unknown"
}
/*
* Global Utils
*/
@ -990,7 +1001,6 @@ func readColonFile(r io.Reader, fn func(line []byte)) (v interface{}, err error)
return nil, bs.Err()
}
/*
* Main
*/
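Review bot: The realm branch added to `LookupUsername` (and repeated in `LookupGroup` in the next hunk) discards both errors it can receive: `var db, _ = dbus.SystemBus()` leaves `db` nil when the bus connection fails, so `db.Object` panics the GUI, and the result of `.Store(&user)` is never checked, so an absent realm service or an unknown uid silently yields `""` as the displayed user name. The sentinel test `uid == -1` now runs after the D-Bus call, so a realm rule that applies to any user queries the realm manager with `"-1"` instead of returning `"any"`. I would test the sentinel first and route every error to the function's existing `"unknown"` result, as below; the body of `LookupUsername` continues past the end of the hunk. The two `// TODO: needs to be realm aware` comments are stale now that the lookup takes a realm, and the daemon's `uidToUser`/`gidToGroup` in the prompter file carry the same unchecked-error pattern.
```go
func (fa *fwApp) LookupUsername(realm string, uid int32) string {
	if uid == -1 {
		return "any"
	}
	if realm != "" {
		// Realm processes have their own passwd database; ask the realm
		// manager and fall back to "unknown" if it cannot answer.
		db, err := dbus.SystemBus()
		if err != nil {
			return "unknown"
		}
		var user string
		obj := db.Object("com.subgraph.realms", "/")
		call := obj.Call("com.subgraph.realms.Manager.RealmUsernameFromUID", 0, realm, strconv.Itoa(int(uid)))
		if err := call.Store(&user); err != nil || user == "" {
			return "unknown"
		}
		return user
	}
	// … unchanged: local user cache lookup and "unknown" fallback …
```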

@ -226,13 +226,13 @@ func (rr *ruleRow) update() {
tt = tt + " for "
}
if rr.rule.UID > -1 {
tt = tt + rr.rl.app.LookupUsername(rr.rule.UID)
tt = tt + rr.rl.app.LookupUsername(rr.rule.Sandbox, rr.rule.UID)
}
if rr.rule.UID > -1 && rr.rule.GID > -1 {
tt = tt + ":"
}
if rr.rule.GID > -1 {
tt = tt + rr.rl.app.LookupGroup(rr.rule.GID)
tt = tt + rr.rl.app.LookupGroup(rr.rule.Sandbox, rr.rule.GID)
}
rr.gtkLabelTarget.SetText(tt)
}

@ -9,6 +9,8 @@ const St = imports.gi.St;
const CheckBox = imports.ui.checkBox
const ModalDialog = imports.ui.modalDialog;
const Tweener = imports.ui.tweener;
const Extension = imports.misc.extensionUtils.getCurrentExtension();
const Misc = Extension.imports.misc;
const RuleScope = {
APPLY_SESSION: 0,
@ -22,36 +24,47 @@ const DetailSection = new Lang.Class({
Name: 'DetailSection',
_init: function(sandboxed) {
this.actor = new St.BoxLayout({ style_class: 'fw-details-section' });
//this.actor = new St.BoxLayout({ style_class: 'fw-details-section', pack_start: false });
this.actor = new St.BoxLayout({ style_class: 'fw-details-section-container', pack_start: false });
this._cont = new St.BoxLayout({ style_class: 'fw-details-section' });
this._left = new St.BoxLayout({ vertical: true, style_class: 'fw-details-left' });
//this._right = new St.BoxLayout({ vertical: true, style_class: 'fw-details-right' });
this._right = new St.BoxLayout({ vertical: true, style_class: 'fw-details-right' });
this.actor.add_child(this._left);
this.actor.add_child(this._right);
this._more = new St.BoxLayout({ vertical: true, style_class: 'fw-details-right', y_align: Clutter.ActorAlign.CENTER, x_align: St.Align.END });
this._cont.add_child(this._left);
this._cont.add_child(this._right);
this.actor.add_child(this._cont);
this.actor.add_child(this._more);
//this.actor.add_child(this._left);
//this.actor.add_child(this._right);
//this.actor.add_child(this._more);
if (sandboxed) {
this.sandbox = this._addDetails("Realm:");
}
this.ipAddr = this._addDetails("IP Address:");
this.path = this._addDetails("Path:");
this.pid = this._addDetails("Process ID:");
this.origin = this._addDetails("Origin:");
this.origin = this._addDetails("Origin IP address:");
this.user = this._addCheckboxDetails("User:");
this.group = this._addCheckboxDetails("Group:");
this.sandboxed = sandboxed;
if (sandboxed) {
this.sandbox = this._addDetails("Sandbox:");
}
this.optstring = this._addDetails("");
},
_addDetails: function(text, d) {
let title = new St.Label({ style_class: 'fw-detail-title', text: text});
//this._left.add(title, { expand: true, x_fill: false, x_align: St.Align.END});
this._left.add(title, { expand: true, x_fill: false, x_align: St.Align.END});
let msg = new St.Label({ style_class: 'fw-detail-message' });
if (d === undefined) {
this._right.add(msg);
// this._right.add(msg);
this._right.add(msg, { expand: true, x_fill: false, x_align: St.Align.END});
} else {
let inner = new St.BoxLayout({ vertical: false, style_class: 'fw-ugid-apply-checkbox' });
inner.add(msg);
inner.add(d.actor);
let inner = new St.BoxLayout({ vertical: false, style_class: 'fw-ugid-apply-checkbox', x_align: St.Align.END });
//inner.add(msg);
inner.add(msg, { expand: true, x_fill: true, x_align: St.Align.END});
inner.add(d.actor, { x_fill: true, x_align: St.Align.END, expand: true});
this._right.add(inner);
}
return msg;
@ -60,13 +73,14 @@ const DetailSection = new Lang.Class({
_addCheckboxDetails: function(text) {
let title = new St.Label({ style_class: 'fw-detail-title', text: text});
title.hide();
//this._left.add(title, { expand: true, x_fill: false, x_align: St.Align.END});
this._left.add(title, { expand: true, x_fill: false, x_align: St.Align.END});
//let msg = new St.Label({ style_class: 'fw-detail-message' });
let check = new CheckBox.CheckBox("");
check.actor.checked = true;
check.actor.hide();
this._right.add(check.actor);
this._right.add(check.actor, { expand: true, x_align: St.Align.END, x_fill: false});
/*
let inner = new St.BoxLayout({ vertical: false, style_class: 'fw-ugid-apply-checkbox' });
@ -115,10 +129,78 @@ const DetailSection = new Lang.Class({
}
if (sandbox != "") {
this.sandbox.text = sandbox;
//this.sandbox = new St.Label({ style_class: 'fw-detail-message' });
//this._right.remove_child(this.sandbox);
//let yek = new St.Label({ style_class: 'fw-detail-message' });
var [r,g,b] = Misc.pastelColorsFromName(sandbox);
var hexbg = r.toString(16) + g.toString(16) + b.toString(16);
this.sandbox.get_clutter_text().set_markup('<span font_weight="bold" underline_color="#'+hexbg+'"><u>'+sandbox+'</u></span>');
//this._right.add_child(yek);
//this.sandbox.show();
// result_label.get_clutter_text().set_markup('<span foreground="' + styles[stat] + '" underline_color="red">' + Fuzzy.fuzzysort.highlight(r[k], open = '<u>', close = '</u>') + '</span>');
// global.log(hexbg);
/* var _dot = new St.Widget({ style_class: 'realm-running-dot',//'app-well-app-running-dot',
layout_manager: new Clutter.BinLayout(),
x_expand: true, y_expand: true,
x_align: Clutter.ActorAlign.CENTER,
y_align: Clutter.ActorAlign.CENTER });
_dot.style = 'background-color: #'+hexbg+';width: '+width+'px;';
this.sandbox.add_actor(_dot);
this.sandbox = _dot;
_dot.show(); */
}
this.optstring.text = optstring
this.optstring.text = optstring;
let windows = global.get_window_actors();
let tnpid = -1;
let winpids = {};
let t;
let mw;
let x = 0;
let thumb = false;
for (x = 0; x < windows.length; x++) {
mw = windows[x].get_meta_window();
if (typeof mw != 'undefined') {
global.log("pid: "+pid+" mw.get_client_pid(): "+mw.get_client_pid().toString());
winpids[pid] = windows[x].get_meta_window();
if (pid == mw.get_client_pid().toString()) {
t = Misc.getThumbnail(mw);
this._more.add(t);
tnpid = pid;
thumb = true;
break;
}
}
}
if (pid > 1 && tnpid == -1) {
tnpid = Misc.findParentProcessWindow(pid);
global.log(tnpid);
}
if (tnpid > 1 && thumb == false) {
for (x = 0; x < windows.length; x++) {
mw = windows[x].get_meta_window();
if (typeof mw != 'undefined') {
if (tnpid == mw.get_client_pid().toString()) {
t = Misc.getThumbnail(mw);
t.expand = true;
t.x_align = St.Align.END;
t.x_fill = true;
t.y_fill = true;
this._more.add(t);
thumb = true;
break;
}
}
}
}
if (thumb == true) {
this._right.height = this._left.height;
}
}
});
@ -184,7 +266,7 @@ const OptionList = new Lang.Class({
}
this.actor.add_child(this.buttonGroup.actor);
this.items = [];
this._selected;
this._selected = "";
this.tlsGuard = false;
if (sandboxed) {
this.tlsGuard = true;
@ -595,7 +677,9 @@ const PromptDialogHeader = new Lang.Class({
if (!remaining) {
this.waiting.text;
} else {
this.waiting.text = "Remaining: " + remaining;
//ithis.waiting.text = "Remaining: " + remaining;
// this.waiting = new St.Label({style_class: 'fw-prompt-waiting', text: "Remaining: " + remaining});
}
},
@ -782,7 +866,7 @@ const PromptDialog = new Lang.Class({
}
if (sandbox != "") {
application = application + " (sandboxed)"
application = application;
}
this.header.setTitle(application);
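Review bot: `set_markup` on the realm label is fed the raw `sandbox` string, so a name containing `&` or `<` breaks the Pango markup parse (or injects markup), and `hexbg` concatenates `r.toString(16)` etc. without zero-padding, so any channel below 0x10 produces a five-character colour that the underline silently ignores. I would pad and escape: `var hexbg = [r, g, b].map(function (c) { return ('0' + c.toString(16)).slice(-2); }).join('');`, `var esc = GLib.markup_escape_text(sandbox, -1);`, and then `'<span font_weight="bold" underline_color="#'+hexbg+'"><u>'+esc+'</u></span>'` — adding `const GLib = imports.gi.GLib;` to the imports if the file does not already have it. The `global.log("pid: ...")` per window and `global.log(tnpid)` in the same block are debug output that will land in the journal for every prompt, and `winpids[pid] = ...` is written but never read. In `PromptDialogHeader`, commenting out the assignment leaves `this.waiting.text;` as a no-op statement and an empty `else`; if the remaining-count display is meant to be disabled, delete the whole `if`/`else` rather than leaving both halves inert.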

@ -134,7 +134,7 @@ const FirewallPromptHandler = new Lang.Class({
return false;
}
let fname = binding.replace(/-([a-z])/g, function (g) { return g[1].toUpperCase(); });
// let fname = binding.replace(/-([a-z])/g, function (g) { return g[1].toUpperCase(); });
let fname = "_on"+ fname[0].toUpperCase() + fname.substr(1);
if (!( fname in this._dialog )) {
log("SGFW: Invalid key binding (1)... " + fname);
@ -291,18 +291,18 @@ const FirewallPromptHandler = new Lang.Class({
}
},
_updateDialogRemainingPrompts: function() {
_updateDialogRemainingPrompts: function() { /*
if (this._dialog === null) {
return;
}
try {
let remaining = (this._guids.length - 1);
if (remaining > 0) {
/*if (remaining > 0) {
this._dialog.updateRemainingPrompts(remaining);
}
} catch(err) {
log("SGFW: Error while updating remaining dialogs count: " + err);
}
}*/
return;
}
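Review bot: `let fname = "_on"+ fname[0].toUpperCase() + fname.substr(1);` now references `fname` inside its own initializer, because the `binding.replace(...)` line that previously produced it is commented out; under standard `let` semantics that throws a ReferenceError on every key binding the handler receives, so no `_on...` dialog method is ever dispatched. Keep the camel-casing under a separate name: `let camel = binding.replace(/-([a-z])/g, function (g) { return g[1].toUpperCase(); });` followed by `let fname = "_on" + camel[0].toUpperCase() + camel.substr(1);`. In `_updateDialogRemainingPrompts` the body is disabled by opening a block comment on the signature line and closing it just before `return;`, which reads as a syntax accident; if the feature is intentionally off, reduce the method to a single `return;` with a one-line comment saying why.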

@ -76,6 +76,10 @@
font-weight: bold;
}
.fw-details-section-container {
padding: 5px;
}
.fw-details-section {
padding: 20px;
}
@ -113,3 +117,11 @@
padding-top: 2px !important;
vertical-align: middle;
}
.realm-running-dot {
min-width: 15px;
height: 2px;/*3*/
background-color: #ffffff;
padding: 0px 0px 0px 0px;
margin: 0px 0px 0px 0px;
}

@ -269,8 +269,8 @@ func (ds *dbusServer) GetPendingRequests(policy string) (bool, *dbus.Error) {
pc.proto(),
int32(pc.procInfo().UID),
int32(pc.procInfo().GID),
uidToUser(pc.procInfo().UID),
gidToGroup(pc.procInfo().GID),
uidToUser(pc.sandbox(),pc.procInfo().UID),
gidToGroup(pc.sandbox(),pc.procInfo().GID),
int32(pc.procInfo().Pid),
pc.sandbox(),
pc.socks(),

@ -426,7 +426,7 @@ func (p *Policy) filterPendingOne(rule *Rule, guid string) {
continue
}
if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.procInfo().UID), gidToGroup(pc.procInfo().GID), pc.procInfo().Sandbox) {
if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.sandbox(),pc.procInfo().UID), gidToGroup(pc.sandbox(),pc.procInfo().GID), pc.procInfo().Sandbox) {
prompter := pc.getPrompter()
if prompter == nil {
@ -465,7 +465,7 @@ func (p *Policy) filterPendingOne(rule *Rule, guid string) {
func (p *Policy) filterPending(rule *Rule) {
remaining := []pendingConnection{}
for _, pc := range p.pendingQueue {
if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.procInfo().UID), gidToGroup(pc.procInfo().GID), pc.procInfo().Sandbox) {
if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.sandbox(),pc.procInfo().UID), gidToGroup(pc.sandbox(),pc.procInfo().GID), pc.procInfo().Sandbox) {
prompter := pc.getPrompter()
if prompter == nil {
@ -606,7 +606,6 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket, timestamp time.Time) {
// return
} else {
ppath = pinfo.ExePath
optstring = fmt.Sprintf("Realm: %s", pinfo.Realm)
cf := strings.Fields(pinfo.CmdLine)
if len(cf) > 1 && strings.HasPrefix(cf[1], "/") {
for _, intp := range _interpreters {
@ -896,7 +895,8 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket, reverse bool, strictness int)
}
if res != nil {
optstr = "Realm: " + OzInitPids[i].Name
//optstr = "Realm: " + OzInitPids[i].Name
res.Realm = OzInitPids[i].Name
res.Sandbox = OzInitPids[i].Name
res.ExePath = GetRealRoot(res.ExePath, OzInitPids[i].Pid)
break
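Review bot: `rule.match` is now handed `uidToUser(pc.sandbox(), ...)` and `gidToGroup(pc.sandbox(), ...)` in `filterPendingOne` and `filterPending`, and the same substitution appears in `RuleList.filter` in the rules file; for a non-empty sandbox each of those calls is a synchronous D-Bus round trip to the realm manager with no cache yet (`// TODO: cache` in the definitions), so a slow or absent realm service stalls pending-connection processing while the pending queue is being iterated. In `RuleList.filter` the lookups appear to sit inside the loop over rules, so they repeat once per rule per packet; compute the two names once before that loop and pass the locals to `r.match`, and land the cache with this change rather than after it. `optstr = "Realm: " + OzInitPids[i].Name` is only commented out here; if `optstr` has no other assignment the function may no longer compile, and `res.Realm` and `res.Sandbox` now carry the same value without a comment saying which field consumers should read.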

@ -158,7 +158,7 @@ func monitorPromptFDs(pc pendingConnection) {
//fmt.Printf("ADD TO MONITOR: %v | %v / %v / %v\n", pc.policy().application, guid, pid, fd)
if pid == -1 || fd == -1 || prompter == nil {
log.Warningf("Unexpected error condition occurred while adding socket fd to monitor: %d %d %v",pid, fd, prompter)
log.Warning("Unexpected error condition occurred while adding socket fd to monitor");
return
} else {
log.Warning("No unexpected errors");
@ -315,8 +315,8 @@ func (p *prompter) processConnection(pc pendingConnection) {
pc.proto(),
int32(pc.procInfo().UID),
int32(pc.procInfo().GID),
uidToUser(pc.procInfo().UID),
gidToGroup(pc.procInfo().GID),
uidToUser(pc.sandbox(), pc.procInfo().UID),
gidToGroup(pc.sandbox(), pc.procInfo().GID),
int32(pc.procInfo().Pid),
pc.sandbox(),
pc.socks(),
@ -589,7 +589,16 @@ func lookupGroup(gid int) string {
return g.Name
}
func uidToUser(uid int) string {
func uidToUser(realm string, uid int) string {
// TODO: cache
if (realm != "") {
user := "";
var db,_ = dbus.SystemBus()
obj := db.Object("com.subgraph.realms", "/")
obj.Call("com.subgraph.realms.Manager.RealmUsernameFromUID", 0, realm, strconv.Itoa(uid)).Store(&user)
return user;
}
uname, ok := userMap[uid]
if ok {
return uname
@ -599,7 +608,16 @@ func uidToUser(uid int) string {
return uname
}
func gidToGroup(gid int) string {
func gidToGroup(realm string, gid int) string {
// TODO: cache
if (realm != "") {
group := "";
var db,_ = dbus.SystemBus()
obj := db.Object("com.subgraph.realms", "/")
obj.Call("com.subgraph.realms.Manager.RealmGroupnameFromGID", 0, realm, strconv.Itoa(gid)).Store(&group)
return group;
}
gname, ok := groupMap[gid]
if ok {
return gname
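Review bot: `uidToUser` and `gidToGroup` return `""` for any sandboxed process whenever `dbus.SystemBus()` or the realm manager call fails, because both errors are discarded (`var db,_ = dbus.SystemBus()` and the unused result of `.Store(...)`), and a nil `db` from a failed bus connection panics on `db.Object`; unlike the GUI lookups, these values flow into `rule.match`, so a realm-service outage silently alters which user/group rules match rather than just a label. Check both errors and log them so the condition is visible, as below for `uidToUser` (apply the same shape to `gidToGroup`); both function bodies continue past the end of their hunks. The replacement `log.Warning("Unexpected error condition occurred while adding socket fd to monitor")` in `monitorPromptFDs` drops the `pid`, `fd` and `prompter` values the old `Warningf` recorded, which are exactly what an operator needs to investigate that condition, so keep the formatted message. `if (realm != "")`, the trailing semicolons and `var db,_` are not gofmt output; run gofmt before merging.
```go
func uidToUser(realm string, uid int) string {
	if realm != "" {
		// TODO: cache — every call here is a synchronous D-Bus round trip.
		db, err := dbus.SystemBus()
		if err != nil {
			log.Warningf("Unable to connect to system bus for realm %s uid lookup: %v", realm, err)
			return ""
		}
		var user string
		obj := db.Object("com.subgraph.realms", "/")
		call := obj.Call("com.subgraph.realms.Manager.RealmUsernameFromUID", 0, realm, strconv.Itoa(uid))
		if err := call.Store(&user); err != nil {
			log.Warningf("Realm %s username lookup for uid %d failed: %v", realm, uid, err)
			return ""
		}
		return user
	}
	// … unchanged: userMap lookup and fallback …
```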

@ -200,7 +200,7 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
//log.Notice("! Skipping comparison of mismatching PIDs")
continue
}
if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID), pinfo.Sandbox) {
if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.Sandbox, pinfo.UID), gidToGroup(pinfo.Sandbox, pinfo.GID), pinfo.Sandbox) {
// log.Notice("+ MATCH SUCCEEDED")
dstStr := dst.String()
if FirewallConfig.LogRedact {
